CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bc230f7cd55c7466ea46a76dc71b0759d0b94474
hayabusa/rules/sigma/file_event/file_event_lsass_dump.yml
Yamato Security 015899bc51 ルール更新 (#224)
2021-11-23 15:04:03 +09:00

38 lines
879 B
YAML
Raw Blame History

title: LSASS Process Memory Dump Files
author: Florian Roth
date: 2021/11/15
description: Detects file names used by different memory dumping tools to create a
memory dump of the LSASS process memory, which contains user credentials
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename:
- '*\lsass.dmp'
- '*\lsass.zip'
- '*\lsass.rar'
SELECTION_3:
TargetFilename:
- '*\lsass_2*'
- '*\lsassdump*'
- '*\lsassdmp*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: a5a2d357-1ab8-4675-a967-ef9990a59391
level: high
logsource:
category: file_event
product: windows
references:
- https://www.google.com/search?q=procdump+lsass
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsoletes
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1003
Reference in New Issue View Git Blame Copy Permalink